The recently identified exploit strain targets the same unpatched vulnerability in IE 6, 7, 8 and 9 as the master exploit, but applies slightly different code and has a different payload, AlienVault Labs manager Jaime Blasco described Tuesday in a blog post.

AlienVault researchers have been going after attacks that apply the PlugX RAT since earlier this year. Based on file debug paths discovered inside the malware, they think that the relatively new RAT was developed by a Chinese hacker recognized as WHG, who had previous ties with the Network Crack Program Hacker (NCPH), a familiar Chinese hacker group.

“We know that the group actively using the PlugX malware also called Flowershow had access to the Internet Explorer ZeroDay [exploit targeting an unpatched vulnerability] days before it was uncovered,” Blasco said. “Due to the similarities of the new discovered exploit code and the one discovered some days ago it is very likely that the same group is behind both instances.”